Sophos

W32/Assiral-A

Category
Type
What to do
Prevalence low high

Summary

 
How it spreads
  • Email attachments
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 18 February 2005 14:57:18 (GMT)
Detected by All Sophos products
Download Free virus scan
Download the Threat Detection Test
  • Free virus, spyware, and adware scan
  • Test your existing anti-virus protection
  • Find threats your anti-virus missed

Action

More Information

W32/Assiral-A is a mass mailing worm which attempts to spread itself by sending emails with the following characteristics to addresses found in the victim's address book:

Subject: Re: LOV YA!

Body: Kindly read and reply to my LOVE LETTER in the attachments :-)

Attachment: LOVE_LETTER.TXT.exe

A typical email sent by the W32/Assiral-A worm
A typical email sent by the W32/Assiral-A worm.

W32/Assiral-A will attempt to copy itself to floppy drives and network shares.

On opening the attachment, W32/Assiral-A will open a web page through Internet Explorer at geocities.com. W32/Assiral-A will attempt to modify Internet Explorer's homepage to the same page.

It will also attempt to kill off various security related applications and disable various capabilities of Windows. W32/Assiral-A is a mass mailing worm which attempts to spread itself by sending emails with the following characteristics to addresses found in the victim's address book:

Subject: Re: LOV YA!

Body: Kindly read and reply to my LOVE LETTER in the attachments :-)

Attachment: LOVE_LETTER.TXT.exe

A typical email sent by the W32/Assiral-A worm
A typical email sent by the W32/Assiral-A worm.

W32/Assiral-A will drop the following files into the system:

C:\message.txt
%Windows%\SpoolMgr.exe
%Windows%\love_letter.txt.exe
%System32%\MS_LARISSA.exe
C:\windows\winvbs_32.vbs
C:\windows\system32\reg_32.vbs
C:\larissa_anti_bropia.html

A message dropped by the W32/Assiral-A worm
A message dropped by the W32/Assiral-A worm.

The worm will attempt to autostart itself with the following registry entries:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
MS_LARISSA = %system32%\MS_LARISSA.exe

HKLM\software\microsoft\windows\currentversion\run
spoolsv manager = %windows%\SpoolMgr.exe

And set the following registry entries:

HKCR\software\microsoft\windows\currentversion\policies\system\
noadminpage = 1

HKCR\software\microsoft\windows\currentversion\policies\explorer\
dword:03ffffff

HKCR\software\microsoft\windows\currentversion\policies\system\
disableregistrytools = 1

HKCR\software\microsoft\windows\currentversion\policies\explorer\
norun = 1

HKCR\software\microsoft\windows\currentversion\policies\winoldapp\
disabled = 1

HKCU\Software\Microsoft\WAB\
Contacts = <number of contact in outlook address book>

which will disable various administration functions in Windows.

W32/Assiral-A may periodically create a pop-up window to display the contents of C:\larissa_anti_bropia.html.

RSS|Atom
Get reports about the latest virus and spyware threats delivered to your computer